1: Please compute the Jacobi symbol ( 99

Size: px

Start display at page:

Download "1: Please compute the Jacobi symbol ( 99"

Barnard Stone
5 years ago
Views:

1 SCORE/xx: Math 470 Communications Cryptography NAME: PRACTICE FINAL Please show your work write only in pen. Notes are forbidden. Calculators, all other electronic devices, are forbidden. Brains are encouraged, but at most one (your own!) may be used per exam. 1: Please compute the Jacobi symbol ( ). The key trick to remember with Jacobi symbols is to repeatedly factor out 2-parts flip (via quadratic reciprocity) until the numbers get small enough to be trivial. Following the Theorem from Page 91 of our book (which will be reproduced for you on a cheat sheet), we proceed as follows: ( ) ( ) = (By Assertion (5), since 99=1003=3 mod 4.) ( ) 13 = (By Assertion (1), since 1003 = ) 99 ( ) 99 = (By Assertion (5), since 13=1 mod 4.) 13 ( ) 8 = (By Assertion (1), since 99= mod 13.) 13 ( ) 2 = (Since 8=2 2 2 has a square root mod 13 if only if 13 2 has a square root mod 13.) = ( 1) (By Assertion (4), since 13=5 mod 8.) 2 So the answer is 1. mod n. Instructor: J. Maurice Rojas 1 My edition of our book appears to have a typo in Assertion (4): the congruence should be mod 8, not

2 2: Suppose (p,α,β) = (43933,2,3) is the public part of an instance of the El Gamal digital signature scheme, you would like to break this instance, i.e., you would like to find the unique a {2,...,43931} such that α a =β, so you can start forging signatures on messages. (a): Please find a mod 3. (b): Please find a mod 7. (c): Suppose a friend tells you that a mod 2092 is 186. Find a. The Pohlig-Hellman Method (covered in class) tells us that, for small q, we can efficiently recover the last base-q digit, a 0, of a. This boils down to computing α 0 :=α p 1 q β 0 :=β p 1 q, then a (small) brute-force search find which a0 {0,...,q 1} satisfies α a 0 0 β 0 mod p. It will thus behoove us to find the binary expansions of : they are respectively = = The squares mod needed to get us started are then the following: 2 2 = 4, 2 22 = 16, 2 23 = 256, 2 24 = 21603, 2 25 = 33283, 2 26 = 31427, 2 27 = 42489, 2 28 =20285, 2 29 =4747, =40313, =12366, =31116, = = 9, 3 22 = 81, 3 23 = 6561, 3 24 = 36314, 3 25 = 13668, 3 26 = 11108, 3 27 = 23800, 3 28 =11831, 3 29 =2023, =6760, =7280, =15202, = Part (a): Using our preliminary computations, we obtain α 0 = = =34108 mod β 0 = = =34108 mod So then, it is clear straightaway that α 1 0=β 0 thus a mod 3 is exactly 1. Part (b): Similar to Part (a), we obtain that α 0 = = = =15760 mod β 0 = = = =24351 mod So now we start our brute-force search: α 2 0 = mod 43933, so we need not go any further. a mod 7 is thus clearly 2. Part (c): One could proceed directly from a 3 modulus version of the Chinese Remainder Theorem (CRT). However, it is easier here to simply find a mod 21 then use the simpler version of the CRT we saw in class. In particular, enumerating elements of the arithmetic progression 7j+2 we obtain {9,16,23,...} it is then clear that 16 1 mod 3. So a 16 mod 21. Since =43932 a {0,...,43931}, it is then clear that the CRT applied to the moduli will gives us a. A simple Extended Euclidean Algorithm calculation gives us ( 8) 2092=1. In other words, a mod should be ( 8) = mod So a = Note: The numbers you d encounter in an actual final would be a lot smaller. : )

3 3: Please review your midterm (particularly correcting any errors you may have made) your earlier homeworks quizzes.

4 4:ConsiderF 343 realizedasf 7 [t]/ t 3 +t+1. Pleaseexpress 1 t, 1 t+1, 1 t 2 aspolynomials in t of degree no more than 2. This problem was done in class. However, for the sake of checking answers, here is what Maple says: 1 t = 6t2 +6 (or t 2 1) 1 t+1 = t2 +6t+2 (or t 2 t+2) 1 t = 2 t2 +6t+1 (or t 2 t+1) Do please remember that while one can try to be clever with various algebraic identities, the safest fall-back to compute such inverses is the good old Extended Euclidean Algorithm.

5 5: Find the sum of the points (1,5) (9,3) on the elliptic curve C defined by y 2 =x 3 +2x+3 over F 19. Applying the elliptic curve addition law specifically to our curve C, we obtain that the group sum of (x 1,y 1 ) (x 2,y 2 ) is (x 3,y 3 ) where x 3 :=m 2 x 1 x 2, y 3 :=m(x 1 x 3 ) y 1, m is 3x y 1 or y 2 y 1 x 2 x 1, according as (x 1,y 1 )=(x 2,y 2 ) or not. (One should of course also remember that (x 3,y 3 ) is the point at infinity, in the event of an infinite slope.) So for the points at h, we simply get m= 3 5= = 1 = 5=14 mod 19 4 thus x 3 = =( 5) 2 1 9=25 1 9=15 mod 19 y 3 =14(1 15) 5= 5( 14) 5= 5 5 5= 30=8 mod 19. So our answer is (15,8).

6 6: Suppose A is a 3 digit integer of the form 21a where a is unknown. Please find a value for a such that there is a point on the elliptic curve defined by y 2 =x 3 +7x+15 (over F 593 ) with x-coordinate A. Note: This kind of calculation, over much larger fields, is basic in converting plain-text to points on elliptic curves over finite fields. This question is merely a Jacobi symbol question in disguise. In particular, once one tabulates the values of x 3 +7x+15 mod 593 as x ranges over {210+0,210+1,...,210+9}, it is clear that there is a y F 593 with (x,y) lying on our curve if only if x 3 +7x+15 has a square root mod 593. So after some work, our first table is as follows: x x 3 +7x+15 mod So after some work, our first table So now we merely compute Jacobi symbols. The resulting table is then the following: x ( x 3 +7x ) So we see that any a {5, 6, 8} would work

7 7: The Kraitchik-Lehmer Theorem gives a quick way to certify that an integer N is prime: exhibit a (k +1)-tuple of integers (a;p 1,...,p k ) such that (1) a N 1 1 mod N, (2) p 1,...,p k are all the prime divisors of N 1, (3) a (N 1)/pi 1 mod N for all p i. Verifying properties (1) (3) is then doable in time polynomial in log N. Note: The Kraitchik-Lehmer Theorem is recursive in the sense that the primality of each p i (if not obvious) must be certified by it s own k i -tuple, involving smaller primes which may also have to be certified by their own certificates, so on. Verify that the primality of 5521 is certified by the 5-tuple (11;2,3,5,23). In other words, do all the necessary computations implied by the Kraitchik-Lehmer Theorem. Verifying Property (1) is simple: a direct computation, employing the binary expansion of 5520 as recursive squaring, gives us that =1 mod (Note in particular that one must compute 11 2, =(11 2 ) 2, = ( ) 2,..., = ( ) 2 mod 5521 along the way.) Verifying Property (2) is also easy, taking appropriate care with what is meant. In particular, we are merely given that 2, 3, 5, 23 are the prime divisors of =5520, but we don t know their corresponding powers in the factorization of (Note that we should also check that 2, 3, 5, 23 are prime, but these numbers are small enough to be known primes. In the case of a certificate involving larger primes, we would have needed certificates for the subsidiary p i.) Figuring out the powers of 2, 3, 5, 23 dividing 5520 exactly is easy. First, 5520 is even, so Squaring to obtain higher powers of 2, we also see that , , but So we also easily see that So the 2-part of 5520 is 2 4, we can proceed with 5520= The 3-part of 345 is easier to obtain: we immediately see that but So the 3-part of 345 is just 3 we can proceed with 345 = 115. The 5-part 3 of 115 is just 5 then we are left with 115 =23. So = , we have thus verified Property (2). To verify Property (3) we merely compute /2, /3, /5, /23 mod 5521 via recursive squaring. In particular, the respective values are 5520, 5180, 1374, 485, none of which is 1. So we are done. Note: Clearly, this seems like an awful lot of effort to prove that 5521 is prime. However, for much larger numbers (e.g., with hundreds of digits beyond), the certificates from the Kraitchik-Lehmer Theorem are much easier to verify than running any factorization algorithm. Also, the historical importance is that Pratt was able to prove around 1975 that the Kraitchik-Lehmer Theorem implies that primality detection lies in NP.

8 8: In class, you ve learned that computing square roots mod N appears to be computationally difficult. In particular, one can factor large integers in probabilistic polynomial-time if computing square roots mod N is doable in polynomial-time. Given that N := , the following (shortened) list of square roots mod , show how to factor N. x x {±1,±661670,} {±2,± } {±3,± } {±4,± } {±5,±663663} {±6,±1993} You may recall from class that some classical factoring algorithms are based on computing gcd(n,x 2 y 2 ) for rom x y. The list above helps you avoid the work of making lots of rom choices. In particular, observing that x 2 y 2 =(x y)(x+y), observing that 36 has the smallest square roots in the list above, it appears that picking x = 1993 y = 6 may be promising. Indeed, since x 2 = y 2 mod N, we must have that N divides (x y)(x + y) = Since 0 < < = 4,000,000, we must then have that N= (One could also just multiply out but it saves time to use the preceding inequalities.) Checking divisibility by the primes no greater than 1999 =44, we then see that are prime we have found the complete factorization of N.

9 9: We ve discussed O-bounds for the complexity of some basic arithmetic operations but one can be more precise: Via a 2008 paper of D. J. Bernstein ( Fast multiplication its applications, downloadable from one can derive the following more explicit complexity upper bounds: Bound #1. Multiplying two integers, each with at most n digits, takes no more than 10n lg(n) lg(lg(n)) bit operations. Bound #2. Division with remainder, applied to two integers having no more than n digits each, takes no more than 17n lg(n) lg(lg(n)) bit operations. Bound #3. The Jacobi symbol ( a N), assuming a N have no more than n digits, can be computed within 20n 2 bit operations. When N is prime a is an integer relatively prime to N, one can then easily prove that a is a square if only if a (N 1)/2 1 mod N. So you can prove that a given N is composite (without factoring) by exhibiting an a that is a non-square mod N with a (N 1)/2 1 mod N. The Solovay-Strassen Theorem, combined with the Jacobi symbol ( a N), gives a fast romized compositeness test based on these ideas: when N is odd composite, at least half of the a (Z/nZ) satisfy ( a N) a (N 1)/2 mod N. Please estimate the number of bit operations you need to prove that is composite (if it really is composite) with probability at least Let N denote the large number stated above. As discussed in class, the Solovay-Strassen Theorem implies that we can pick 10 rom a in (Z/NZ) check the values of ( a N) a (N 1)/2 mod N to verify compositeness. So then, if N really is composite, the probability that we keep finding ( ) a N =a (N 1)/2 mod N is at most 1. Put another way, with probability at least 1023, we will actually ( find a certificate for the compositeness of N: an a (Z/NZ) with a ) a (N 1)/2 mod N. N So now we merely need to estimate the number of bit operations to compute ( a N a (N 1)/2 mod N, for a potentially having as many digits as N, ten times. Let lg(x) denote the base-2 log of x recall that lg(10)< At this point, we need to make 3 hypotheses clear. Note: On an actual complexity question on the final, I would certainly make these hypotheses clearly known on a cheat sheet. We now start counting bit operations. Counting digits, we see that our stated N above (along with (N 1)/2) has exactly 69 digits. So by Hypothesis 2, each computation of ( a N) will take no more than = bit operations. Counting bit operations for computing a (N 1)/2 is only slightly more involved. First, there is the computation of the binary expansion of (N 1)/2: this can be accomplished simply by converting digits, from low order to high order, successively adding bits in groups of 4. (This is because 0-9 involve at most 4 bits.) So converting (N 1)/2 takes no more than (4+5) 69=621 bit operations. (4 bit operations for the conversion of a digit to binary, +5 to add each new binary number to the current bit string.) One then needs to compute a 2, a 4 = (a 2 ) 2, a 8 = (a 4 ) 2,..., a 2229 mod N. This is because N has no more than 69 lg(10) =230 bits as a binary number. (The true number of bits is in fact 229 so we re not too far off!) Thanks to Hypothesis 1, each squaring mod N takes no more than (10+17) 69lg(69)lg(lg(69))< < bit operations. So we need no more than = bit operations to compute our dyadic powers of a mod N. To at last compute a (N 1)/2 )

10 mod N, we then observe that there are no more than 230 1s in the binary expansion of (N 1)/2. (There are actually 99.) So we need no more than 229 additional multiplications mod N to at last compute a (N 1)/2 mod N. This means no worse than an additional lg(69)lg(lg(69))< bit operations. In summary, computing a (N 1)/2 mod N takes no more than = bit operations. To conclude, our total bit operation count is thus no worse than 10( ) = 137, 079, 830. On most modern microprocessors, this means less than 0.1 seconds. However, this does not take into account cache usage, which makes the true time spent depend strongly on the underlying software implementation ( the skill diligence of the programmer). Indeed, if one is truly serious about understing the practical complexity of large integer calculations, one must also take into account the usage of memory.

MATH 25 CLASS 21 NOTES, NOV Contents. 2. Subgroups 2 3. Isomorphisms 4

MATH 25 CLASS 21 NOTES, NOV Contents. 2. Subgroups 2 3. Isomorphisms 4 MATH 25 CLASS 21 NOTES, NOV 7 2011 Contents 1. Groups: definition 1 2. Subgroups 2 3. Isomorphisms 4 1. Groups: definition Even though we have been learning number theory without using any other parts